Re: Require DNSSEC signed MX RRs

2015-09-10 Thread Viktor Dukhovni
On Thu, Sep 10, 2015 at 08:57:50PM +0200, Michael Ströder wrote:
> > One might also imagine an alternative interface:
> >
> >     example.com secure match=nexthop:dot-nexthop:dnssec-hostname
> >
> > Where "dnssec-hostname" matches the hostname only if securely
> > obtained. This would not requi

Re: Require DNSSEC signed MX RRs

2015-09-10 Thread Michael Ströder
Viktor Dukhovni wrote:
> On Thu, Sep 10, 2015 at 08:39:38PM +0200, Michael Ströder wrote:
>
>> Maybe there should be some additional text for 'dane-only' in [1]?
>> I'm not sure about the correct wording though.
>
> I think it is fine as-is. The "dane-only" security level requires
> that a peer

Re: Require DNSSEC signed MX RRs

2015-09-10 Thread Viktor Dukhovni
On Thu, Sep 10, 2015 at 08:39:38PM +0200, Michael Ströder wrote:
> Maybe there should be some additional text for 'dane-only' in [1]?
> I'm not sure about the correct wording though.

I think it is fine as-is. The "dane-only" security level requires that a peer be DANE authenticated, which means

Re: Require DNSSEC signed MX RRs

2015-09-10 Thread Michael Ströder
Viktor Dukhovni wrote:
> On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote:
>
>> Looking at [1] it's not clear to me whether it's possible to require MX RRs of
>> a recipient domain to be DNSSEC signed. Any other configuration option for
>> that?
>
> Postfix, at present, does n

Re: Require DNSSEC signed MX RRs

2015-09-10 Thread Viktor Dukhovni
On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote:
> Looking at [1] it's not clear to me whether it's possible to require MX RRs of
> a recipient domain to be DNSSEC signed. Any other configuration option for
> that?

Postfix, at present, does not support requiring a DNSSEC-signed M

Require DNSSEC signed MX RRs

2015-09-10 Thread Michael Ströder
Hi!

Looking at [1] it's not clear to me whether it's possible to require MX RRs of a recipient domain to be DNSSEC signed. Any other configuration option for that?

Ciao, Michael.

[1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps